On 2020/12/30 01:10, Chris Bennett wrote:
> On Tue, Dec 29, 2020 at 07:57:58AM -0500, Daniel Jakots wrote:
> > On Tue, 29 Dec 2020 03:44:03 -0600, Chris Bennett
> > <[email protected]> wrote:
> >
> > > dmesg is always a mess (How can I fix that?)
> >
> > Hard to give a proper fix when the problem is uncertain. Assuming the
> > "mess" you're mentioning is that dmesg(8) shows previous boots as well,
> > you can take /var/run/dmesg.boot.
>
> Nope, that file is also a mess. There was a thread a while back
> mentioning this problem, but I can't remember what advice it gave.
Maybe someone can help if you show an example; it is not clear what
you mean here.
On 2020/12/30 01:44, Chris Bennett wrote:
> > There should be a second one like this
^
> >
> > 0 s:/CN=bennettconstruction.us
> > i:/C=US/O=Let's Encrypt/CN=R3
> > 1 s:/C=US/O=Let's Encrypt/CN=R3
> > i:/O=Digital Signature Trust Co./CN=DST Root CA X3
>
> I'm not getting:
> 1 s:/C=US/O=Let's Encrypt/CN=R3
> i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Yes, I am showing what it *should* look like after I showed how
it currently looks.
> I lowered the encryption to the most permissive to rule out any problems
> with other software being out of date. Didn't help. Might have done that
> after sending this thread.
This is 100% a certificate chain problem, not an encryption problem.
> > For Apache you are probably missing setting SSLCertificateChainFile,
> > if you're fetching with acme-client then this config option should point
> > at a file written with either of these options
> >
> > domain chain certificate
> > domain full chain certificate
> >
>
> So, as far as I can see, there is:
> /etc/ssl/cert.pem
> /etc/acme/letsencrypt-privkey.pem (I didn't notice this file until
> looking at acme-client.conf)
> Are there any other files I didn't notice?
If you don't have a "chain certificate" option in acme-client.conf
you'll need to add one. See /etc/examples/acme-client.conf for
an example.
> > Don't use a manually fetched file for this as it will change from time
> > to time.
>
> OK, didn't know that. Thanks.
>
> I'll play around with this new info and see what I get. I'll post
> whatever works or fails either way.
> I'll also do some more reading, but not on the Apache site. I hate to
> criticize, but the documentation there just isn't maintained and is very
> dated.
Actually looking there I see my information is dated :) (still works
but not recommended).
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile
So, instead you should point SSLCertificateFile at a file produced by
"domain full chain certificate", SSLCertificateKeyFile at the "domain
key" file, and ignore what I said about SSLCertificateChainFile.
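
An added example, not part of the original messages: a shell function that reads `openssl s_client` output and reports whether the server sent the intermediate, using the `N s:` / `i:` chain listing format quoted above. The function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `openssl s_client` output on stdin and checks the
# "Certificate chain" listing: each issuer (i:) must be the subject (s:) of
# the next certificate, and a leaf that is not self-signed must be followed
# by at least one intermediate.
check_chain() {
    awk '
        /^ *[0-9]+ s:/   { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        /^ *i:/ && n > 0 { sub(/^ *i:/, "");        iss[n-1]  = $0; next }
        END {
            if (n == 0) { print "no chain listing found"; exit 2 }
            if (n == 1 && subj[0] != iss[0]) {
                print "intermediate not sent, leaf issuer is: " iss[0]; exit 1
            }
            for (k = 1; k < n; k++)
                if (subj[k] != iss[k-1]) {
                    print "chain breaks at " k ", expected: " iss[k-1]; exit 1
                }
            print "chain ok, " n " certificates sent"
        }'
}

# Constructed sample: server configured with the leaf certificate only.
sample_leaf_only() {
cat <<'EOF'
Certificate chain
 0 s:/CN=bennettconstruction.us
   i:/C=US/O=Let's Encrypt/CN=R3
---
EOF
}

# Constructed sample: server configured with the full chain file.
sample_full_chain() {
cat <<'EOF'
Certificate chain
 0 s:/CN=bennettconstruction.us
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
EOF
}

sample_leaf_only  | check_chain || true   # reports the missing intermediate
sample_full_chain | check_chain           # chain ok
```

Against a live server the input would come from `openssl s_client -connect host:443 </dev/null 2>/dev/null | check_chain`, with `host` replaced by the server name.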